Improper authorization control for web services in org.xwiki.platform:xwiki-platform-tool-jetty-resources
Description
XWiki Jetty Package (XJetty) allows accessing any application file through a URL
Impact
In an instance that uses the XWiki Jetty package (XJetty), a static context is exposed that serves any file located in the webapp/ folder.
This allows reading files that may contain credentials, such as http://myhots/webapps/xwiki/WEB-INF/xwiki.cfg, http://myhots/webapps/xwiki/WEB-INF/xwiki.properties or http://myhots/webapps/xwiki/WEB-INF/hibernate.cfg.xml.
Patches
This has been patched in 16.10.11, 17.4.4, 17.7.0.
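To check an inventory of XWiki instances against the three patched releases above, here is an added example (not part of the advisory or of the XWiki project). It assumes that a version is fixed when it is at or above the patch for its own maintenance branch (16.10.x or 17.4.x) or at or above 17.7.0 otherwise, and that a branch with no listed fix (for example 17.5.x) should be treated as unpatched; the hostnames and inventory lines are constructed.

```python
import re
from typing import List, Tuple

# Patched releases named in the advisory, keyed by maintenance branch;
# any other version line is compared against the 17.7.0 release.
PATCHED_BY_BRANCH = {(16, 10): (16, 10, 11), (17, 4): (17, 4, 4)}
PATCHED_MAIN = (17, 7, 0)

VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(-.+)?$")


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """(major, minor, patch, final): final is 0 for a pre-release suffix
    such as -rc-1 and 1 for a final release, so 17.7.0-rc-1 < 17.7.0."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised XWiki version: {text!r}")
    major, minor, patch, suffix = m.groups()
    return (int(major), int(minor), int(patch or 0), 0 if suffix else 1)


def is_patched(text: str) -> bool:
    """True when the version is at or above the fix for its branch.
    Assumption (not stated in the advisory): lines with no listed fix,
    e.g. 17.5.x, count as unpatched until 17.7.0."""
    ver = parse_version(text)
    fix = PATCHED_BY_BRANCH.get(ver[:2], PATCHED_MAIN)
    return ver >= fix + (1,)


def hosts_needing_update(inventory: str) -> List[str]:
    """Read 'host version' lines and return hosts still below a fix."""
    return [host for host, version in
            (line.split() for line in inventory.strip().splitlines())
            if not is_patched(version)]


# Constructed sample inventory (hostnames are placeholders).
SAMPLE_INVENTORY = """\
wiki-a.example 16.10.10
wiki-b.example 16.10.11
wiki-c.example 17.4.3
wiki-d.example 17.7.0-rc-1
wiki-e.example 17.7.0
"""

if __name__ == "__main__":
    print(hosts_needing_update(SAMPLE_INVENTORY))
```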
Workarounds
The workaround is to modify the start_xwiki.sh script following https://github.com/xwiki/xwiki-platform/compare/8b68d8a70b43f25391b3ee48477d7eb71b95cf4b...99a04a0e2143583f5154a43e02174155da7e8e10.
For more information
If you have any questions or comments about this advisory:
Open an issue in Jira XWiki.org
Email us at Security Mailing List
Attribution
Vulnerability reported by Joseph Huber.
| Ecosystem | Package | Affected version | Patched versions |
|---|---|---|---|
| maven | org.xwiki.platform:xwiki-platform-tool-jetty-resources | | 16.10.11, 17.4.4, 17.7.0 |